add_password in pam_radius_auth.c in pam_radius 1.4.0 does not correctly check the length of the input password, and is vulnerable to a stack-based buffer overflow during memcpy(). An attacker could send a crafted password to an application (loading the pam_radius library) and crash it. Arbitrary code execution might be possible, depending on the application, C library, compiler, and other factors.
Software | From | Fixed in |
---|---|---|
debian / debian_linux | 8.0 | 8.0.x |
debian / debian_linux | 9.0 | 9.0.x |
canonical / ubuntu_linux | 12.04 | 12.04.x |
canonical / ubuntu_linux | 14.04 | 14.04.x |
canonical / ubuntu_linux | 16.04 | 16.04.x |
canonical / ubuntu_linux | 18.04 | 18.04.x |
canonical / ubuntu_linux | 19.10 | 19.10.x |
freeradius / pam_radius | 1.4.0 | 1.4.0.x |